Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create Admin users with control over one or more facilities #167

Open
bglusman opened this issue Oct 31, 2017 · 3 comments
Open

Create Admin users with control over one or more facilities #167

bglusman opened this issue Oct 31, 2017 · 3 comments

Comments

@bglusman
Copy link
Collaborator

bglusman commented Oct 31, 2017

Currently our users are exclusively guests, authenticated via Guardian JWT links, and we use a basic auth hex module to manage admin areas of the site with a single login.

PR #161 adds multi-facility support, but adminsitration is still global. We either need to extend some users with limited admin priveleges and provide a proper login based authentication for them (while maintaining some users who do not have email etc for JWT/link based login), or make a new admin type of user managed seperately. Whoever tackles this can decide best approach, but probably using https://github.com/smpallen99/coherence or https://github.com/ueberauth/ueberauth are the two main approaches, but alternatives are welcome. I would guess slight bias toward ueberauth starting with https://github.com/ueberauth/ueberauth_identity because we already have Guardian and want that to continue working, and I beleive they are maximally interoperable, unless we create an entirely new user type, in which case Coherence may be equally easy. For now, an admin should probably have complete control of any facility they're linked to, and they shouldn't be restricted to only one facility. We also want to entirely replace the current basic auth system and create a super-admin role that can modify any facility

This was referenced Oct 31, 2017
@komizutama
Copy link
Collaborator

I think probably a few tiers of auth..

  1. OP admin: (godlike control over all, though we probably do want to have action logging at some point. )
  2. Site Admin: (Control over stock and users at specific locations could be granted this access to multiple locations or one)
  3. Volunteer/Worker: Can enable a client/family size.
  4. Client: Can make orders.

@komizutama
Copy link
Collaborator

My understanding is that after enabling guardian it gets a lot easier to enable things like Google SSO which in the US is very useful since they give out free business accounts to non-profits and are thereby one of the favorite email suppliers for non-profits... makes it easy to enable permissions to people based on their agency.

@bglusman
Copy link
Collaborator Author

Agreed re Ueberauth (not Guardian), another good reason for that bias.

For additional tiers of auth, that's fine but let's avoid too much scope creep here, we can add followup stories (or new stories to this epic), but let's try and keep the stories well scoped and small/iterative.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants